From 7a586e5c19f3d1ecc3fefef084ce992072ee7f60 Mon Sep 17 00:00:00 2001
From: Peter Bacon Darwin
Date: Sat, 5 Oct 2013 10:49:09 +0100
Subject: fix(*): protect calls to hasOwnProperty in public API

Objects received from outside AngularJS may have had their `hasOwnProperty`
method overridden with something else. In cases where we can do this without
incurring a performance penalty we call directly on Object.prototype.hasOwnProperty
to ensure that we use the correct method.

Also, we have some internal hash objects, where the keys for the map are provided
from outside AngularJS. In such cases we either prevent `hasOwnProperty` from
being used as a key or provide some other way of preventing our objects from
having their `hasOwnProperty` overridden.

BREAKING CHANGE: Inputs with name equal to "hasOwnProperty" are not allowed inside
form or ngForm directives.

Before, inputs whose name was "hasOwnProperty" were quietly ignored and not added
to the scope.  Now a badname exception is thrown.

Using "hasOwnProperty" for an input name would be very unusual and bad practice.
Either do not include such an input in a `form` or `ngForm` directive or change
the name of the input.

Closes #3331---
 src/ngResource/resource.js | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/ngResource')

diff --git a/src/ngResource/resource.js b/src/ngResource/resource.js
index 2aa11f52..2498bdf3 100644
--- a/src/ngResource/resource.js
+++ b/src/ngResource/resource.js
@@ -347,6 +347,9 @@ angular.module('ngResource', ['ng']).
 
         var urlParams = self.urlParams = {};
         forEach(url.split(/\W/), function(param){
+          if (param === 'hasOwnProperty') {
+            throw $resourceMinErr('badname', "hasOwnProperty is not a valid parameter name.");
+          }
           if (!(new RegExp("^\\d+$").test(param)) && param && (new RegExp("(^|[^\\\\]):" + param + "(\\W|$)").test(url))) {
               urlParams[param] = true;
           }
-- 
cgit v1.2.3